Dreamhost hijacking my prefix...

Andree Toonk andree+nanog at toonk.nl
Fri Jan 11 16:46:57 UTC 2013


Hi,
Here's a quick summary of what we saw at BGPMon.net.

At 2013-01-11 14:14:13 we saw announcements (seemingly) originated by
26347, for prefixes normally announced by other ASn's (origin change /
hijack).

This seems to have affected 112 prefixes for 110 ASn's [1], including
Rogers, Tata, Sprint, Ziggo, Verizon, KPN, Vodafone, CloudFlare, XS4ALL,
AT&T, Bell Canada and many more.
Most of these were new more specific(!) announcements.

With regards to next-hop ASN's (peers). It seems this hijack was
propagated via 12 unique (AS26347) peers [1]

A quick look at the prefix that was mentioned by Jeff, 150.182.208.0/20
(more specific of 50.182.192.0/18)
The first announcement for this prefix was seen at 2013-01-11 14:14:28
and withdrawn at 2013-01-11 15:20:57.  It was detected by 42 unique peers.

some example paths:
271 6939 26347
5580 26347|
37312 5713 6939 26347
1126 24785 12989 26347

[1] I've posted some details  (Unique next-hop ASN's and affected origin
ASN's), check if your AS was affected here:
http://portal.bgpmon.net/data/hijack20130111.txt

Cheers,
 Andree




.-- My secret spy satellite informs me that at 2013-01-11 7:23 AM  Jeff
Kell wrote:
> Not sure how widespread their "leakage" may be, but Dreamhost just
> hijacked one of my prefixes...
> 
>> ====================================================================
>> Possible Prefix Hijack (Code: 10)
>> ====================================================================
>> Your prefix:          150.182.192.0/18: 
>> Update time:          2013-01-11 14:14 (UTC)
>> Detected by #peers:   11
>> Detected prefix:      150.182.208.0/20 
>> Announced by:         AS26347 (DREAMHOST-AS - New Dream Network, LLC)
>> Upstream AS:          AS42861 (PRIME-LINE-AS JSC "Prime-Line")
>> ASpath:               8331 42861 42861 42861 26347 
> 
> Anyone have a contact there?  ASinfo gives netops at dreamhost.com where I
> have submitted a report, but so far no joy...
> 
> Jeff
> 
> 
> 




More information about the NANOG mailing list